163 lines
No EOL
6.7 KiB
JSON
163 lines
No EOL
6.7 KiB
JSON
{
|
|
"type": "bundle",
|
|
"id": "bundle--0733f160-8e52-4548-a4c8-19a1cfb41d0d",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2021-02-04T21:50:11.000Z",
|
|
"modified": "2021-02-04T21:50:11.000Z",
|
|
"name": "Centre for Cyber security Belgium",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--0733f160-8e52-4548-a4c8-19a1cfb41d0d",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2021-02-04T21:50:11.000Z",
|
|
"modified": "2021-02-04T21:50:11.000Z",
|
|
"name": "zloader: VBA, R1C1 References, and Other Tomfoolery",
|
|
"published": "2023-02-22T14:12:11Z",
|
|
"object_refs": [
|
|
"indicator--9c87b754-6bc2-414d-82e9-0d07f2130be7",
|
|
"x-misp-object--5ef34e5a-b2a8-4ca8-8a0e-44f6ac13a7a7",
|
|
"x-misp-object--5ef34e3c-f70c-4526-9abb-44f6ac13a7a7"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"zloader",
|
|
"inthreat:event-src=\"feed-osint\"",
|
|
"admiralty-scale:information-credibility=\"2\"",
|
|
"admiralty-scale:source-reliability=\"b\"",
|
|
"workflow:state=\"complete\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--9c87b754-6bc2-414d-82e9-0d07f2130be7",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2020-06-24T10:50:40.000Z",
|
|
"modified": "2020-06-24T10:50:40.000Z",
|
|
"pattern": "[file:hashes.SHA256 = 'b29c145d4b78daed34dea28a0a11bab857d5583dc6a00578a877511d0d01d3d2']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2020-06-24T10:50:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--5ef34e5a-b2a8-4ca8-8a0e-44f6ac13a7a7",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2020-06-24T13:00:10.000Z",
|
|
"modified": "2020-06-24T13:00:10.000Z",
|
|
"labels": [
|
|
"misp:name=\"whois\"",
|
|
"misp:meta-category=\"network\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "domain",
|
|
"object_relation": "domain",
|
|
"value": "procacardenla.ga",
|
|
"category": "Network activity",
|
|
"to_ids": true,
|
|
"uuid": "5ef34e5a-6d34-4a50-87a8-44f6ac13a7a7"
|
|
},
|
|
{
|
|
"type": "domain",
|
|
"object_relation": "domain",
|
|
"value": "datalibacbi.ml",
|
|
"category": "Network activity",
|
|
"to_ids": true,
|
|
"uuid": "5ef34e5b-ac9c-41e2-91a5-44f6ac13a7a7"
|
|
},
|
|
{
|
|
"type": "domain",
|
|
"object_relation": "domain",
|
|
"value": "wireborg.com",
|
|
"category": "Network activity",
|
|
"to_ids": true,
|
|
"uuid": "5ef34e5b-a1b0-4af0-8636-44f6ac13a7a7"
|
|
},
|
|
{
|
|
"type": "domain",
|
|
"object_relation": "domain",
|
|
"value": "zmedia.shwetech.com",
|
|
"category": "Network activity",
|
|
"to_ids": true,
|
|
"uuid": "5ef34e5b-6df8-49d5-9b09-44f6ac13a7a7"
|
|
}
|
|
],
|
|
"x_misp_comment": "Domains",
|
|
"x_misp_meta_category": "network",
|
|
"x_misp_name": "whois"
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--5ef34e3c-f70c-4526-9abb-44f6ac13a7a7",
|
|
"created_by_ref": "identity--5cf66e53-b5f8-43e7-be9a-49880a3b4631",
|
|
"created": "2020-06-24T12:59:40.000Z",
|
|
"modified": "2020-06-24T12:59:40.000Z",
|
|
"labels": [
|
|
"misp:name=\"annotation\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "ref",
|
|
"value": "https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/",
|
|
"category": "External analysis",
|
|
"uuid": "5ef34e3c-3620-41b8-a096-44f6ac13a7a7"
|
|
},
|
|
{
|
|
"type": "link",
|
|
"object_relation": "ref",
|
|
"value": "https://twitter.com/abuse_ch",
|
|
"category": "External analysis",
|
|
"uuid": "5ef34e3c-3110-40af-8f22-44f6ac13a7a7"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "text",
|
|
"value": "zloader: VBA, R1C1 References, and Other Tomfoolery\r\nJune 19, 2020 ~ Jamie\t\r\n\r\nThe other day, @reecDeep tweeted about new behavior from zloader documents. Another document from the same campaign crossed my path and I decided to take a crack at it.",
|
|
"category": "External analysis",
|
|
"uuid": "5ef34e3c-d9e4-4ca8-957b-44f6ac13a7a7"
|
|
}
|
|
],
|
|
"x_misp_comment": "External Analysis",
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "annotation"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |